• When you enable manager access on a data interface, the threat defense forwards incoming management
traffic over the backplane to the Management interface.
• For outgoing management traffic, the Management interface forwards the traffic over the backplane to
the data interface.
Manager Access Requirements
Manager access from a data interface has the following limitations:
• You can only enable manager access on a physical, data interface. You cannot use a subinterface or
EtherChannel. You can also use the management center to enable manager access on a single secondary
interface for redundancy.
• This interface cannot be management-only.
• Routed firewall mode only, using a routed interface.
• PPPoE is not supported. If your ISP requires PPPoE, you will have to put a router with PPPoE support
between the threat defense and the WAN modem.
• The interface must be in the global VRF only.
• SSH is not enabled by default for data interfaces, so you will have to enable SSH later using the
management center. Because the Management interface gateway will be changed to be the data interfaces,
you also cannot SSH to the Management interface from a remote network unless you add a static route
for the Management interface using the configure network static-routes command.
High Availability Requirements
When using a data interface with device high availability, see the following requirements.
• Use the same data interface on both devices for manager access.
• Redundant manager access data interface is not supported.
• You cannot use DHCP; only a static IP address is supported. Features that rely on DHCP cannot be used,
including DDNS and low-touch provisioning.
• Have different static IP addresses in the same subnet.
• Use either IPv4 or IPv6; you cannot set both.
• Use the same manager configuration (configure manager add command) to ensure that the connectivity
is the same.
• You cannot use the data interface as the failover or state link.
Low-Touch Provisioning Network
The following figure shows a typical network deployment for the firewall where:
• The management center is at central headquarters.
• The threat defense uses the outside interface for manager access.
• Either the threat defense or management center needs a public IP address or hostname to allow the
inbound management connection, although you do not need to know the IP address for registration. For
pre-7.2(4) and 7.3 threat defense versions, the management center needs to be publicly reachable.
Cisco Firepower 2100 Getting Started Guide
47
Threat Defense Deployment with a Remote Management Center
How Remote Management Works
To Next Page
Loading...
Need help?
General